Mixing CSF with Unbound

Posted: 15 Oct 2019, 09:04
by adamreece-webbox
Brief explanation:

We use CSF+LFD on all of our Linux-based servers, which are endpoints, in that they are not required to do any IP forwarding/routing. (We'd use Shorewall for that.) This includes our internal office servers.

We also use two Unbound instances as our office DNS resolver, particularly as we have various internal only DNS mappings we need to establish.

I have, however, noticed interference with Unbound when it receives DNS replies, resulting in poor performance, and with some domain names (particularly BBC and WebEx) not resolving at all. The problem comes from response traffic on port 53 (UDP) often being caught despite CSF being configured to accept incoming traffic on port 53 (both UDP and TCP).

Specifically, it's because the source port is 53 rather than the destination port, which is random, for example:

[41590801.013058] Firewall: *UDP_IN Blocked* IN=ens192 OUT= MAC=whatever SRC=remote-dns-server DST=local-server-running-unbound LEN=108 TOS=0x1C PREC=0x00 TTL=102 ID=3495 PROTO=UDP SPT=53 DPT=12526 LEN=88
[41590801.015630] Firewall: *UDP_IN Blocked* IN=ens192 OUT= MAC=whatever SRC=remote-dns-server DST=local-server-running-unbound LEN=108 TOS=0x1C PREC=0x00 TTL=103 ID=19356 PROTO=UDP SPT=53 DPT=61325 LEN=88
[41590801.068867] Firewall: *UDP_IN Blocked* IN=ens192 OUT= MAC=whatever SRC=remote-dns-server DST=local-server-running-unbound LEN=108 TOS=0x1C PREC=0x00 TTL=102 ID=60199 PROTO=UDP SPT=53 DPT=41867 LEN=88

Chain "INPUT" includes the following:

12       0     0 ACCEPT     tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:53
40   20617 1422K ACCEPT     udp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:53

Chain "OUTPUT" includes the following:

16       0     0 ACCEPT     tcp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:53
43       0     0 ACCEPT     udp  --  *      !lo     0.0.0.0/0            0.0.0.0/0            ctstate NEW udp dpt:53
I see that those rules are all about looking at the destination port, so I guess what I need CSF to be able to do is define a rule regarding the source port, though I guess this wouldn't be the most wise idea as anyone could in theory establish a connection defining their source port as 53 to connect to any destination port they choose, whether or not it is intentionally allowed.

(Those also show that the TCP 53 rules I defined are likely unnecessary as this system has over a year of uptime.)

Is there any advice for running CSF on a Linux instance which is also expected to be a DNS resolver? (Not a DNS forwarder.)

Thanks for reading, and again thanks for CSF+LFD as a whole. (Overall a fantastic product I'm very pleased with.)
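As an added illustration of the point raised in the post above (this is example code, not part of the original post and not CSF's or Unbound's code), the following script parses kernel firewall log lines in the same "Firewall: *UDP_IN Blocked*" layout and compares the two ways of admitting DNS replies that the post discusses: a naive "accept anything whose source port is 53" rule, versus a stateful match that only admits a packet that mirrors a query the local resolver actually sent (which is what an iptables `-m conntrack --ctstate ESTABLISHED` rule does for UDP). The log lines, the IP addresses (documentation ranges), the MAC and the "conntrack table" set are all constructed for the example; the third line is a constructed unsolicited packet that uses source port 53 to reach SSH on port 22, showing why a source-port rule is the wrong fix.

```python
"""Added example (not from the original post, CSF or Unbound): parse iptables
LOG-target lines like "Firewall: *UDP_IN Blocked* ..." and compare a naive
source-port-53 allow rule with a stateful reply check. All sample data below
is constructed."""
import re

# KEY=value pairs as printed by the iptables LOG target; OUT= may be empty.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
CHAIN_RE = re.compile(r"\*(\w+) Blocked\*")


def parse_log_line(line):
    """Return the KEY=value fields of one kernel firewall log line.
    LEN= appears twice (IP total length, then UDP length); the first is kept."""
    fields = {}
    for key, val in FIELD_RE.findall(line):
        fields.setdefault(key, val)
    m = CHAIN_RE.search(line)
    fields["CHAIN"] = m.group(1) if m else ""
    return fields


def sport53_rule_accepts(pkt):
    """The rule the post considers: allow any UDP packet whose *source* port is 53.
    Any sender can choose 53 as its source port, so this also admits unsolicited
    traffic aimed at any local port, not just genuine DNS replies."""
    return pkt.get("PROTO") == "UDP" and pkt.get("SPT") == "53"


def stateful_accepts(pkt, outbound_queries):
    """Stateful alternative: accept only a packet that is the mirror image of a
    query this host already sent (addresses and ports swapped), as conntrack's
    ESTABLISHED match does for UDP. outbound_queries holds tuples of
    (local_ip, local_port, remote_ip, remote_port)."""
    mirror = (pkt["DST"], int(pkt["DPT"]), pkt["SRC"], int(pkt["SPT"]))
    return mirror in outbound_queries


def classify(lines, outbound_queries):
    """Classify each blocked UDP_IN packet under both policies."""
    out = []
    for line in lines:
        pkt = parse_log_line(line)
        if pkt.get("CHAIN") != "UDP_IN":
            continue
        out.append({
            "src": pkt["SRC"],
            "dpt": int(pkt["DPT"]),
            "sport53_rule": sport53_rule_accepts(pkt),
            "stateful": stateful_accepts(pkt, outbound_queries),
        })
    return out


# Constructed log lines in the same layout as the post (documentation-range IPs).
SAMPLE_LOG = [
    "[41590801.013058] Firewall: *UDP_IN Blocked* IN=ens192 OUT= MAC=00:00:00:00:00:00 "
    "SRC=198.51.100.53 DST=192.0.2.10 LEN=108 TOS=0x1C PREC=0x00 TTL=102 ID=3495 "
    "PROTO=UDP SPT=53 DPT=12526 LEN=88",
    "[41590801.015630] Firewall: *UDP_IN Blocked* IN=ens192 OUT= MAC=00:00:00:00:00:00 "
    "SRC=198.51.100.53 DST=192.0.2.10 LEN=108 TOS=0x1C PREC=0x00 TTL=103 ID=19356 "
    "PROTO=UDP SPT=53 DPT=61325 LEN=88",
    # Constructed unsolicited packet: source port 53, but aimed at sshd on port 22.
    "[41590801.068867] Firewall: *UDP_IN Blocked* IN=ens192 OUT= MAC=00:00:00:00:00:00 "
    "SRC=203.0.113.7 DST=192.0.2.10 LEN=108 TOS=0x00 PREC=0x00 TTL=52 ID=60199 "
    "PROTO=UDP SPT=53 DPT=22 LEN=88",
]

# Constructed stand-in for the conntrack table: queries the local resolver
# (192.0.2.10) sent to an upstream server (198.51.100.53) just before.
OUTBOUND_QUERIES = {
    ("192.0.2.10", 12526, "198.51.100.53", 53),
    ("192.0.2.10", 61325, "198.51.100.53", 53),
}


if __name__ == "__main__":
    for result in classify(SAMPLE_LOG, OUTBOUND_QUERIES):
        print(result)
```

Running it shows the first two packets admitted by both policies, while the constructed packet to port 22 is admitted by the source-port rule and rejected by the stateful check; a real firewall gets the stateful behaviour from an ESTABLISHED/RELATED accept rule evaluated before the per-port NEW rules, rather than from any rule keyed on the remote source port.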